
Commit e8bd6e7

authored
Merge pull request #345 from ericchiang/kubelet-tls-auth
use a client cert for API server to kubelet communication
2 parents a138eba + 95ff5d3 commit e8bd6e7


8 files changed

+17
-1
lines changed


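--- a/hack/multi-node/user-data.sample
+++ b/hack/multi-node/user-data.sample
@@ -22,6 +22,8 @@ coreos:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --kubeconfig=/etc/kubernetes/kubeconfig \
 --require-kubeconfig \
+--client-ca-file=/etc/kubernetes/ca.crt \
+--anonymous-auth=false \
 --cni-conf-dir=/etc/kubernetes/cni/net.d \
 --network-plugin=cni \
 --lock-file=/var/run/lock/kubelet.lock \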
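Review bot: `--anonymous-auth=false` at new lines 25–26 only gates the kubelet's authenticated port; the read-only port (default 10255) stays unauthenticated unless `--read-only-port=0` is passed alongside it, and because no kubelet `--authorization-mode` is set the default AlwaysAllow remains, so every client certificate issued by the CA in `/etc/kubernetes/ca.crt` is authenticated and then authorized without further check. Consider adding `--read-only-port=0` next to these flags and, where the kubelet version pinned by kubelet-wrapper supports it, `--authorization-mode=Webhook` so that RBAC decides what an authenticated caller may do. The same two lines are added in hack/quickstart/kubelet.master, hack/quickstart/kubelet.worker and hack/single-node/user-data.sample and the note applies there too. The ExecStart flag list continues past the hunk.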

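--- a/hack/quickstart/init-master.sh
+++ b/hack/quickstart/init-master.sh
@@ -52,6 +52,7 @@ function init_master_node() {
 chown -R core:core /home/core/assets
 mkdir -p /etc/kubernetes
 cp /home/core/assets/auth/kubeconfig /etc/kubernetes/
+cp /home/core/assets/tls/ca.crt /etc/kubernetes/ca.crt
 
 # Start the kubelet
 systemctl enable kubelet; sudo systemctl start kubelet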

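--- a/hack/quickstart/init-worker.sh
+++ b/hack/quickstart/init-worker.sh
@@ -34,6 +34,9 @@ function init_worker_node() {
 # Setup kubeconfig
 mkdir -p /etc/kubernetes
 cp ${KUBECONFIG} /etc/kubernetes/kubeconfig
+# Pulled out of the kubeconfig in extract_master_endpoint. Other installations should
+# place the root CA here manually.
+cp /home/core/ca.crt /etc/kubernetes/ca.crt
 
 sed "s/{{apiserver}}/${MASTER_PRIV}/" /home/core/kubelet.worker > /etc/systemd/system/kubelet.service
 rm /home/core/kubelet.worker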

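--- a/hack/quickstart/kubelet.master
+++ b/hack/quickstart/kubelet.master
@@ -15,6 +15,8 @@ ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/kubelet-pod.uuid
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --api-servers=https://${COREOS_PRIVATE_IPV4}:443 \
 --kubeconfig=/etc/kubernetes/kubeconfig \
+--client-ca-file=/etc/kubernetes/ca.crt \
+--anonymous-auth=false \
 --cni-conf-dir=/etc/kubernetes/cni/net.d \
 --network-plugin=cni \
 --lock-file=/var/run/lock/kubelet.lock \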

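--- a/hack/quickstart/kubelet.worker
+++ b/hack/quickstart/kubelet.worker
@@ -13,6 +13,8 @@ ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/run/kubelet-pod.uuid
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --api-servers=https://{{apiserver}}:443 \
 --kubeconfig=/etc/kubernetes/kubeconfig \
+--client-ca-file=/etc/kubernetes/ca.crt \
+--anonymous-auth=false \
 --cni-conf-dir=/etc/kubernetes/cni/net.d \
 --network-plugin=cni \
 --lock-file=/var/run/lock/kubelet.lock \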

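--- a/hack/single-node/user-data.sample
+++ b/hack/single-node/user-data.sample
@@ -30,6 +30,8 @@ coreos:
 ExecStart=/usr/lib/coreos/kubelet-wrapper \
 --kubeconfig=/etc/kubernetes/kubeconfig \
 --require-kubeconfig \
+--client-ca-file=/etc/kubernetes/ca.crt \
+--anonymous-auth=false \
 --cni-conf-dir=/etc/kubernetes/cni/net.d \
 --network-plugin=cni \
 --lock-file=/var/run/lock/kubelet.lock \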

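--- a/pkg/asset/internal/templates.go
+++ b/pkg/asset/internal/templates.go
@@ -167,6 +167,8 @@ spec:
 - --runtime-config=api/all=true
 - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
 - --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
+- --kubelet-client-certificate=/etc/kubernetes/secrets/apiserver.crt
+- --kubelet-client-key=/etc/kubernetes/secrets/apiserver.key
 - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
 - --client-ca-file=/etc/kubernetes/secrets/ca.crt
 - --authorization-mode=RBAC
@@ -216,7 +218,7 @@ spec:
 hostNetwork: true
 containers:
 - name: checkpoint-installer
-image: quay.io/coreos/pod-checkpointer:5b585a2d731173713fa6871c436f6c53fa17f754
+image: quay.io/coreos/pod-checkpointer:417b8f7552ccf3db192ba1e5472e524848f0eb5f
 command:
 - /checkpoint-installer.sh
 volumeMounts: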
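Review bot: `--kubelet-client-certificate`/`--kubelet-client-key` at new lines 170–171 point at the serving key pair apiserver.crt/apiserver.key, and the kubelet will verify that certificate as a TLS client certificate (clientAuth extended key usage) against its `--client-ca-file`; if the asset generator issues apiserver.crt with only the serverAuth usage, the API server→kubelet handshake fails rather than falling back, so confirm the generator sets both usages or mint a dedicated client certificate for this path. A dedicated certificate also keeps the serving private key from doubling as a client credential, which is the safer split if the two are ever rotated or scoped separately. pkg/bootkube/bootkube.go adds the same pair of flags for the bootstrap API server using asset.AssetPathAPIServerCert/asset.AssetPathAPIServerKey and the same check applies there. The manifest's flag list continues outside the first hunk.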

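--- a/pkg/bootkube/bootkube.go
+++ b/pkg/bootkube/bootkube.go
@@ -92,6 +92,8 @@ func makeAPIServerFlags(config Config) ([]string, error) {
 "--allow-privileged=true",
 "--tls-private-key-file=" + filepath.Join(config.AssetDir, asset.AssetPathAPIServerKey),
 "--tls-cert-file=" + filepath.Join(config.AssetDir, asset.AssetPathAPIServerCert),
+"--kubelet-client-key=" + filepath.Join(config.AssetDir, asset.AssetPathAPIServerKey),
+"--kubelet-client-certificate=" + filepath.Join(config.AssetDir, asset.AssetPathAPIServerCert),
 "--client-ca-file=" + filepath.Join(config.AssetDir, asset.AssetPathCACert),
 "--authorization-mode=RBAC",
 "--etcd-servers=" + config.EtcdServer.String(),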
